ZEDO and other pop-ups

Unknown · November 2007

Hello, I have recently had problems with viruses and spyware. It all started by me opening some stupid .exe which made the computer reboot and now I have a lot of stuff that don't seem to go away. I have different pop-ups coming up all the time: among others an "errorsafe"-like ad (but in swedish), a "Powered by ZEDO"-titled page, a "hopelessromantic.com/pop.php", etc.

I have gone through steps 1-7 from http://icrontic.com/forum/showthread.php?t=43902 . All the programs find new stuff all the time, but nothing seems to be able to fix the problems.

Here are my logs!

Kaspersky:

KASPERSKY ONLINE SCANNER REPORTKASPERSKY ONLINE SCANNER REPORT
Thursday, November 15, 2007 10:22:11 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build
2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/11/2007
Kaspersky Anti-Virus database records: 459740

Scan Settings
Scan using the following antivirus databaseextended
Scan Archivestrue
Scan Mail Basestrue
Scan TargetMy Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
M:\
N:\
O:\
Scan Statistics
Total number of scanned objects163972
Number of viruses found25
Number of infected objects65
Number of suspicious objects0
Duration of the scan process02:40:12
Infected Object NameVirus NameLast Action
C:\Documents and Settings\All Users\Dokument\!ReadMe.exe Infected:
Backdoor.Win32.Gobot.v skipped
C:\Documents and Settings\Björn\Application
Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is
locked skipped
C:\Documents and Settings\Björn\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Björn\Lokala inställningar\Application
Data\ATI\ACE\Log\MOM-0.log Object is locked skipped
C:\Documents and Settings\Björn\Lokala inställningar\Application
Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Björn\Lokala inställningar\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Björn\Lokala inställningar\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Björn\Lokala
inställningar\Temp\nvcuninstall\tools\pskill.exe Infected:
not-a-virus:RiskTool.Win32.PsKill.e skipped
C:\Documents and Settings\Björn\Lokala
inställningar\Temp\Perflib_Perfdata_6c0.dat Object is locked skipped
C:\Documents and Settings\Björn\Lokala inställningar\Temporary Internet
Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is
locked skipped
C:\Documents and Settings\Björn\Lokala inställningar\Temporary Internet
Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Björn\Lokala
inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Björn\Lokala
inställningar\Tidigare\History.IE5\MSHist012007111520071116\index.dat
Object is locked skipped
C:\Documents and Settings\Björn\Mina dokument\Mina mottagna
filer\mIRC.rar/mIRC/mirc.exe Infected:
not-a-virus:Client-IRC.Win32.mIRC.612 skipped
C:\Documents and Settings\Björn\Mina dokument\Mina mottagna filer\mIRC.rar
RAR: infected - 1 skipped
C:\Documents and Settings\Björn\ntuser.dat Object is locked skipped
C:\Documents and Settings\Björn\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Björn\UserData\index.dat Object is locked
skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked
skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Temporary
Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokala
inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked
skipped
C:\Documents and Settings\NetworkService\Lokala inställningar\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Lokala inställningar\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked
skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked
skipped
C:\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped
C:\My Music\kazaa_lite.exe/data0014 Infected:
not-a-virus:AdWare.Win32.Altnet.o skipped
C:\My Music\kazaa_lite.exe Inno: infected - 1 skipped
C:\NNS\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\oaif.exe Infected: Trojan-Clicker.Win32.Costrat.by skipped
C:\Setups\acidmax202843.exe/mirc.exe Infected:
not-a-virus:Client-IRC.Win32.mIRC.612 skipped
C:\Setups\acidmax202843.exe ZIP: infected - 1 skipped
C:\Setups\eXeem_0.21_setup.exe/Stream/data0076/stream/data0006 Infected:
not-a-virus:AdWare.Win32.SearchIt.p skipped
C:\Setups\eXeem_0.21_setup.exe/Stream/data0076/stream Infected:
not-a-virus:AdWare.Win32.SearchIt.p skipped
C:\Setups\eXeem_0.21_setup.exe/Stream/data0076 Infected:
not-a-virus:AdWare.Win32.SearchIt.p skipped
C:\Setups\eXeem_0.21_setup.exe/Stream Infected:
not-a-virus:AdWare.Win32.SearchIt.p skipped
C:\Setups\eXeem_0.21_setup.exe Inno: infected - 4 skipped
C:\Setups\mirc612.exe/data0001.bin Infected:
not-a-virus:Client-IRC.Win32.mIRC.612 skipped
C:\Setups\mirc612.exe mIRC: infected - 1 skipped
C:\Setups\mirc614.exe/data0001.bin Infected:
not-a-virus:Client-IRC.Win32.mIRC.614 skipped
C:\Setups\mirc614.exe mIRC: infected - 1 skipped
C:\Setups\mirc616.exe/data0001.bin Infected:
not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Setups\mirc616.exe mIRC: infected - 1 skipped
C:\Setups\orange_decoder.exe/WISE0016.BIN Infected:
not-a-virus:AdWare.Win32.MyWay.c skipped
C:\Setups\orange_decoder.exe/WISE0017.BIN/WISE0011.BIN Infected:
not-a-virus:AdWare.Win32.Exact.a skipped
C:\Setups\orange_decoder.exe/WISE0017.BIN/WISE0012.BIN Infected:
not-a-virus:AdWare.Win32.Exact.a skipped
C:\Setups\orange_decoder.exe/WISE0017.BIN/WISE0013.BIN Infected:
not-a-virus:AdWare.Win32.Exact.a skipped
C:\Setups\orange_decoder.exe/WISE0017.BIN Infected:
not-a-virus:AdWare.Win32.Exact.a skipped
C:\Setups\orange_decoder.exe/WISE0018.BIN Infected:
not-a-virus:AdWare.Win32.EZula.a skipped
C:\Setups\orange_decoder.exe/WISE0021.BIN/data0001.cab/Save.exe Infected:
not-a-virus:AdWare.Win32.SaveNow.c skipped
C:\Setups\orange_decoder.exe/WISE0021.BIN/data0001.cab/SaveUninst.exe
Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped
C:\Setups\orange_decoder.exe/WISE0021.BIN/data0001.cab Infected:
not-a-virus:AdWare.Win32.SaveNow.af skipped
C:\Setups\orange_decoder.exe/WISE0021.BIN/data0002.cab/Sync.exe Infected:
not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\Setups\orange_decoder.exe/WISE0021.BIN/data0002.cab/Uninst.exe
Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\Setups\orange_decoder.exe/WISE0021.BIN/data0002.cab Infected:
not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\Setups\orange_decoder.exe/WISE0021.BIN Infected:
not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\Setups\orange_decoder.exe/WISE0023.BIN/data0002 Infected:
not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\Setups\orange_decoder.exe/WISE0023.BIN/data0003 Infected:
not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\Setups\orange_decoder.exe/WISE0023.BIN Infected:
not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\Setups\orange_decoder.exe/WISE0024.BIN/NHInstall.exe Infected:
not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\Setups\orange_decoder.exe/WISE0024.BIN/v2.0.4.cab/NHUninstaller.exe
Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\Setups\orange_decoder.exe/WISE0024.BIN/v2.0.4.cab/NHelper.dll Infected:
not-a-virus:AdWare.Win32.NavExcel skipped
C:\Setups\orange_decoder.exe/WISE0024.BIN/v2.0.4.cab/NHUpdater.exe
Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\Setups\orange_decoder.exe/WISE0024.BIN/v2.0.4.cab Infected:
not-a-virus:AdWare.Win32.NavExcel skipped
C:\Setups\orange_decoder.exe/WISE0024.BIN Infected:
not-a-virus:AdWare.Win32.NavExcel skipped
C:\Setups\orange_decoder.exe WiseSFX: infected - 22 skipped
C:\Setups\radmin21.zip/RADMIN21.EXE/AdmDll.dll Infected:
not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Setups\radmin21.zip/RADMIN21.EXE/raddrv.dll Infected:
not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Setups\radmin21.zip/RADMIN21.EXE/radmin.exe Infected:
not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Setups\radmin21.zip/RADMIN21.EXE/r_server.exe Infected:
not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Setups\radmin21.zip/RADMIN21.EXE Infected:
not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Setups\radmin21.zip ZIP: infected - 5 skipped
C:\Setups\setupwavtomp3.exe/WISE0016.BIN/data0002 Infected:
not-a-virus:AdWare.Win32.BookedSpace.a skipped
C:\Setups\setupwavtomp3.exe/WISE0016.BIN Infected:
not-a-virus:AdWare.Win32.BookedSpace.a skipped
C:\Setups\setupwavtomp3.exe/WISE0017.BIN Infected:
not-a-virus:AdWare.Win32.EZula.p skipped
C:\Setups\setupwavtomp3.exe/WISE0018.BIN/data0002 Infected:
not-a-virus:AdWare.Win32.BargainBuddy.v skipped
C:\Setups\setupwavtomp3.exe/WISE0018.BIN/data0003 Infected:
not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\Setups\setupwavtomp3.exe/WISE0018.BIN Infected:
not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\Setups\setupwavtomp3.exe/WISE0025.BIN/data0001.cab/Save.exe Infected:
not-a-virus:AdWare.Win32.SaveNow.e skipped
C:\Setups\setupwavtomp3.exe/WISE0025.BIN/data0001.cab/SaveUninst.exe
Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
C:\Setups\setupwavtomp3.exe/WISE0025.BIN/data0001.cab/Weather/Weather.exe
Infected: not-a-virus:AdWare.Win32.SaveNow skipped
C:\Setups\setupwavtomp3.exe/WISE0025.BIN/data0001.cab/Weather/Uninst.exe
Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
C:\Setups\setupwavtomp3.exe/WISE0025.BIN/data0001.cab Infected:
not-a-virus:AdWare.Win32.SaveNow.bl skipped
C:\Setups\setupwavtomp3.exe/WISE0025.BIN Infected:
not-a-virus:AdWare.Win32.SaveNow.bl skipped
C:\Setups\setupwavtomp3.exe WiseSFX: infected - 12 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is
locked skipped
C:\Winamp\Plugins\AudioScrobbler.log.txt Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\sysmain.sdb Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked
skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked
skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked
skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked
skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked
skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked
skipped
C:\WINDOWS\Temp\ASHeuristic\!ReadMe_exe.vir Infected:
Backdoor.Win32.Gobot.v skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000003-00000000-0000000D-00001102-00000004-10071102}.CDF
Object is locked skipped
Scan process completed.

(Panda Activescan and HijackThis logs attached.)

Please help!

Thanks, B

Trogan · November 2007

Hi delphi,

Could you post a new HijackThis log, and then we can take it from there. Please post all logs in the forum rather than attaching them.

Thanks!

delphi · November 2007

Ok!

I'm sorry for that.

Here goes new log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:00, on 2007-11-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Winamp\winampa.exe
C:\WINDOWS\system32\iid.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
C:\program\AlfaClock Free Edition\AlfaClock.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\Spybot - Search & Destroy\TeaTimer.exe
C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program\MagicDisc\MagicDisc.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\program\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thehungersite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.187.220.93:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Sök i NE - {ACECC8E8-45A5-41ec-A82A-B3363103E293} - C:\Program\Nationalencyklopedin\NE_sokverktyg_20\NeToolbar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Winamp\winampa.exe
O4 - HKLM\..\Run: [Net iD] C:\WINDOWS\system32\iid.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AtiPTA] C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
O4 - HKLM\..\Run: [100% Clock] C:\program\AlfaClock Free Edition\AlfaClock.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [RemoteCenter] C:\Program\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://ssd01.web.sh.se/iNotes6W.cab
O16 - DPF: {5965C249-A629-4516-8B5D-5B9730D61592} (ECP Launch Control) - http://portal.fragbite.com/ecplaunch.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} - http://www.ne.se/sokverktyg/installation/setup.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://hembanken.danskebank.se/html/activex/e-Safekey/OEB/e-Safekey.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12119/CTPID.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Norman Type-R - Unknown owner - C:\NORMAN\Nvc\BIN\NPFSVICE.EXE (file missing)
--
End of file - 9593 bytes

Trogan · November 2007

Hi delphi,

Please do the following...

1. Make sure you can view hidden files and folders:

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Click OK.

2. Find and delete the following files in RED:

C:\Documents and Settings\Björn\Lokalainställningar\Temp\nvcuninstall\tools\pskill.exe
C:\Documents and Settings\All Users\Dokument\!ReadMe.exe
C:\My Music\kazaa_lite.exe
C:\Setups\acidmax202843.exe
C:\Setups\eXeem_0.21_setup.exe
C:\Setups\orange_decoder.exe
C:\Setups\setupwavtomp3.exe
C:\Setups\nbs-irc_full.exe
C:\Setups\Cliprexdsfree.exe
C:\WINDOWS\Temp\ASHeuristic\!ReadMe_exe
C:\oaif.exe

3. Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
This program is for XP and Windows 2000 only!

Double-click ATF Cleaner.exe to open it.

Under Main select the following:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

4. You may wish to Print or Save the following instructions, as the internet will not be available once in Safe Mode!

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/

Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Click on Change state next to Automatic updates. It should now change to inactive.
- Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
- Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Reboot your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

Once in Safe Mode:

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.

Click on Scanner on the toolbar.
Click on the Settings tab.
- Under How to act?
  - Click on Recommended Action and choose Quarantine from the popup menu.
- Under How to scan?
  - All checkboxes should be ticked.
- Under Possibly unwanted software:
  - All checkboxes should be ticked.
- Under Reports:
  - Select Do not automatically generate reports
- Under What to scan?
  - Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
- Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
- At the bottom of the window click on the Apply all Actions button. (3)
When done, click the Save Scan Report button. (4)
- Click the Save Report as button.
- Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot back into Normal Mode and post a new HijackThis log, along with the AVG Anti-Spyware log.

delphi · November 2007

Ok, here goes new logs!

AVG Anti-Spyware - Scan Report

+ Created at: 22:16:20 2007-11-21
+ Scan result:

C:\Setups\MsgPlus-301.exe/sponsor.exe -> Downloader.Swizzor.ag : Cleaned with backup (quarantined).
C:\Setups\MsgPlus-220.exe/70000011.exe -> Downloader.Swizzor.g : Cleaned with backup (quarantined).
C:\Documents and Settings\Björn\Cookies\björn@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.

::Report end

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:24:34, on 2007-11-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Winamp\winampa.exe
C:\WINDOWS\system32\iid.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\program\AlfaClock Free Edition\AlfaClock.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\Spybot - Search & Destroy\TeaTimer.exe
C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program\MagicDisc\MagicDisc.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program\MSN Messenger\usnsvc.exe
C:\program\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thehungersite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.187.220.93:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Sök i NE - {ACECC8E8-45A5-41ec-A82A-B3363103E293} - C:\Program\Nationalencyklopedin\NE_sokverktyg_20\NeToolbar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Winamp\winampa.exe
O4 - HKLM\..\Run: [Net iD] C:\WINDOWS\system32\iid.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AtiPTA] C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
O4 - HKLM\..\Run: [100% Clock] C:\program\AlfaClock Free Edition\AlfaClock.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [RemoteCenter] C:\Program\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://ssd01.web.sh.se/iNotes6W.cab
O16 - DPF: {5965C249-A629-4516-8B5D-5B9730D61592} (ECP Launch Control) - http://portal.fragbite.com/ecplaunch.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} - http://www.ne.se/sokverktyg/installation/setup.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://hembanken.danskebank.se/html/activex/e-Safekey/OEB/e-Safekey.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12119/CTPID.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Norman Type-R - Unknown owner - C:\NORMAN\Nvc\BIN\NPFSVICE.EXE (file missing)
--
End of file - 9900 bytes

A note: it seems like explorer.exe always "restarts" after i've been using ie for a minute. the bottom toolbar gets black and then returns. the popups are very rare now, but i think there was one left still before i performed those steps.

Trogan · November 2007

Hi delphi,

I need to see another log from HijackThis.

Run Hijackthis.
Click on Open the Misc Tools section.
Next click on Open uninstall manager.
Press the Save list button.
Save the file to your desktop, with the default name of uninstall_list
Copy & Paste the entire contents of that file in your in your next post.

delphi · November 2007

Hi Trogan, thanks for all help so far.

It seems I can't save that list. I click the button and nothing happens. And when I restart Hijackthis and press that button again, the program shuts down. Any ideas?

The pop-ups are worse than ever now, too.

Trogan · November 2007

Hi Delphi,

Ah, you have a Vundo infection and this is causing the pop-ups.

Please download ComboFix to your Desktop.

Double click on Combofix.exe & follow the prompts.
When the scan has finished, it shall produce a log for you. Post that log in your next reply, along with a new HijackThis log and the Uninstall list.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

delphi · November 2007

Hey! It seems to have helped!

here are my logs:

ComboFix 07-11-19.3 - Björn 2007-11-24 14:12:54.1 - NTFSx86
Running from: C:\Documents and Settings\Björn\Lokala inställningar\Temporary Internet Files\Content.IE5\EZM7XCSL\ComboFix[1].exe
* Created a new restore point
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\g32.txt
C:\WINDOWS\s32.txt
C:\WINDOWS\system32\ddcyw.dll
C:\WINDOWS\system32\wycdd.ini
C:\WINDOWS\system32\wycdd.ini2
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

\LEGACY_ASPIMGR

((((((((((((((((((((((((( Files Created from 2007-10-24 to 2007-11-24 )))))))))))))))))))))))))))))))
.
2007-11-24 13:57 16,128 --a

C:\WINDOWS\system32\drivers\MODEMCSA.sys
2007-11-24 13:57 16,128 --a--c--- C:\WINDOWS\system32\dllcache\modemcsa.sys
2007-11-23 21:33 32,866 --a

C:\WINDOWS\slrundll.exe
2007-11-22 23:10 <KAT> d

C:\Program\MSXML 6.0
2007-11-22 23:01 140 --a

C:\WINDOWS\system32\spupdsvc.inf
2007-11-22 09:59 1,011,712

c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-22 09:54 34,136 --a

C:\WINDOWS\system32\wucltui.dll.mui
2007-11-22 09:54 25,944 --a

C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-11-22 09:54 25,944 --a

C:\WINDOWS\system32\wuapi.dll.mui
2007-11-22 09:54 20,312 --a

C:\WINDOWS\system32\wuaueng.dll.mui
2007-11-21 17:43 <KAT> d

C:\Program\AVG Anti-Spyware 7.5
2007-11-21 17:43 <KAT> d

C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-21 17:43 10,872 --a

C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-14 11:40 <KAT> d

C:\Program\SpywareBlaster
2007-11-12 21:39 <KAT> d

C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-12 19:51 <KAT> d

C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-12 19:50 <KAT> d

C:\Program\SUPERAntiSpyware
2007-11-12 04:15 <KAT> d

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-12 02:23 <KAT> d

C:\WINDOWS\system32\Kaspersky Lab
2007-11-12 02:23 <KAT> d

C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-12 02:14 <KAT> d

C:\Program\RegCleaner
2007-11-12 00:41 <KAT> d

C:\Program\Windows Live Safety Center
2007-11-11 20:13 <KAT> d

C:\Program\Mr QuestionMan
2007-11-05 20:25 <KAT> d

C:\Program\AlfaClock Free Edition
2007-10-27 11:09 <KAT> d

C:\Program\Chess-7
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-23 21:06

d

w C:\Program\Cubasis VST 4
2007-11-19 18:11

d

w C:\Program\DC++
2007-11-16 22:25

d

w C:\Program\TrackMania Nations ESWC
2007-11-15 11:46

d

w C:\Program\iTunes
2007-11-15 11:46

d

w C:\Program\iPod
2007-11-15 11:44

d

w C:\Program\QuickTime
2007-11-14 12:22

d

w C:\Program\MSN Messenger
2007-11-14 12:20

d

w C:\Program\Messenger Plus! Live
2007-11-14 12:17

d

w C:\Program\Google
2007-11-14 10:57

d

w C:\Program\FlashFXP
2007-11-12 20:40

d

w C:\Program\Lavasoft
2007-11-12 20:38

d

w C:\Program\Delade filer\Wise Installation Wizard
2007-11-12 03:50

d

w C:\Program\Audio Identifier
2007-11-07 23:43

d

w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2006-02-06 20:46 1,154 -c--a-w C:\Documents and Settings\Thomas\Application Data\wklnhst.dat
2004-06-16 21:35 547 ----a-w C:\Program\Norman Virus Control.lnk
2004-05-26 18:40 0 -c--a-w C:\Documents and Settings\Kristina\Application Data\wklnhst.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95112A07-3420-49D3-AD2A-E1612B92CC7C}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9E8E30F-A4FD-4D50-8B1F-77FDE54D5EA5}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ACECC8E8-45A5-41EC-A82A-B3363103E293}"= C:\Program\Nationalencyklopedin\NE_sokverktyg_20\NeToolbar.dll [ ]
[HKEY_CLASSES_ROOT\clsid\{acecc8e8-45a5-41ec-a82a-b3363103e293}]
[HKEY_CLASSES_ROOT\NE.NeToolBar]
[HKEY_CLASSES_ROOT\TypeLib\{37686C62-D497-42E3-BAAB-78D89A74E151}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="C:\Program\Creative\MediaSource\RemoteControl\RcMan.exe" [2002-11-21 08:33]
"Steam"="" []
"swg"="C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-26 17:22]
"StartCCC"="C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:34]
"MessengerPlus3"="C:\Program\Messenger Plus! 3\MsgPlus.exe" [2006-09-28 23:03]
"msnmsgr"="C:\Program\MSN Messenger\msnmsgr.exe" [2007-01-19 11:55]
"SpybotSD TeaTimer"="C:\Program\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"SUPERAntiSpyware"="C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Easy-PrintToolBox"="C:\Program\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 02:10]
"Openwares LiveUpdate"="C:\Program Files\LiveUpdate\LiveUpdate.exe" []
"Adobe Photo Downloader"="C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"WinampAgent"="C:\Winamp\winampa.exe" [2006-03-10 18:45]
"Net iD"="C:\WINDOWS\system32\iid.exe" [2006-03-02 09:22]
"CTHelper"="CTHELPER.EXE" [2006-08-11 13:56 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 C:\WINDOWS\system32\CTXFIHLP.EXE]
"Tweak UI"="RUNDLL32.exe" [2004-08-04 09:34 C:\WINDOWS\system32\rundll32.exe]
"AtiPTA"="C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE" [2004-12-01 02:10]
"100% Clock"="C:\program\AlfaClock Free Edition\AlfaClock.exe" [2008-05-31 16:05]
"QuickTime Task"="C:\Program\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:34]
[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvspqn]
tuvspqn.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddcyw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
2003-05-28 15:37 394240 --a

C:\WINDOWS\System32\PSDrvCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SLService"=2 (0x2)
"RadClock"=2 (0x2)
"ose"=3 (0x3)
"MySql"=2 (0x2)
"MDM"=2 (0x2)
"Conntrm"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"iPodService"=3 (0x3)
"Adobe LM Service"=3 (0x3)
R0 d346bus;d346bus;C:\WINDOWS\system32\DRIVERS\d346bus.sys
R0 d346prt;d346prt;C:\WINDOWS\system32\Drivers\d346prt.sys
R0 NDIS_RD;Firewall Engine Type-R2;C:\WINDOWS\system32\drivers\NDIS_RD.sys
R1 TDI_RD;Firewall Engine Type-R;\??\C:\WINDOWS\system32\drivers\tdi_rd.sys
R2 PStrip;PStrip;C:\WINDOWS\system32\drivers\PStrip.sys
R3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\C:\Program\EVEREST Home Edition\kerneld.wnt
S3 RadProbe;Radeon Probe Driver;C:\WINDOWS\system32\DRIVERS\RadProbe.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-02-13 11:20:00 C:\WINDOWS\Tasks\16 One Of Us.job"
"2007-11-22 09:57:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-24 14:28:20
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-24 14:35:05 - machine was rebooted
.
--- E O F ---

Uninstall_list

ACE Mega CoDecS Pack
Ad-Aware 2007
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 9 ActiveX
Adobe Photoshop Album 2.0
Adobe Photoshop CS
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.9
Adobe Type Manager 4.1
Adobe® Photoshop® Album Starter Edition 3.0
Ainsworth Sampler 4.2
AlfaClock Free Edition version 1.99 build May 2, 2007
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Audiator3
AVG Anti-Spyware 7.5
Betsson Poker (remove only)
BJ Network Tool
BK's Winamp Ext.
BrainWave Generator
BSPlayer
Canon PhotoRecord
Canon PIXMA iP4000R
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PrintToolBox
CD-LabelPrint
Chess-7 2.1
ColorNick v2 plugin for Messenger Plus!
Cool Edit Pro 2.0
Creative Audio Console
Creative MediaSource
CuteFTP 7 Home
dBpoweramp Music Converter
DC++ 0.698
DivX Web Player
DMM Uninstall
Ear Power Training Center
Easy-WebPrint
EVEREST Home Edition v2.20
FasType Typing Tutorial 6
Feature Showcase Demo
FlashFXP v3
Football Manager 2005
FruityLoops Studio Producer Edition v4.01
Glosis 6
Google Toolbar for Internet Explorer
GuildFTPd FTP Deamon
Guitar Pro 4
Half-Life
HighMAT-tillägg till Microsoft Windows XP-guiden Skriv till CD-skiva
HijackThis 2.0.2
Hotfix for Windows XP (KB915865)
Ink
InstantCopy
Intel(R) PRO Network Adapters and Drivers
InterVideo WinDVD
InterVideo WinDVD 4
iPod for Windows 2005-06-26
iPod for Windows 2006-01-10
iTunes
J2SE Runtime Environment 5.0 Update 1
Kaspersky Online Scanner
Macromedia Extension Manager
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8
Macromedia Flash Player 8 Plugin
Macromedia Shockwave Player
Magic ISO Maker v4.6 (build 0122)
MagicDisc 2.5.74
Max Payne 2
Messenger Plus! 3
Messenger Plus! Live
Microsoft .NET Framework 2.0
Microsoft .NET Framework 2.0 Language Pack - SVE
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0 Swedish Language Pack
Microsoft .NET Framework 3.0 Swedish Language Pack
Microsoft AutoRoute v11.0
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard - WE 2004
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Picture It! Photo Standard 9
Microsoft Reader
Microsoft Works
Microsoft Works Suite-tillägg för Microsoft Word
mIRC
Mozart 6
MP3 WAV Converter 3.05
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
MultiRes (remove only)
My MP3 Organizer version 1.6 Build 3
MySQL Servers and Clients 3.23.52
Nationalencyklopedin
Native Instruments Traktor DJ Audigy Edition
NE:s sökverktyg 2.0
NE-Fonter
Nero OEM
NeroVision Express 2 SE
Net iD 4.1
NFO Viewer
Panda ActiveScan
Pinnacle Hollywood FX 4.6
Power Tab Editor 1.7
PowerStrip 3 (remove only)
QuickTime
SAM2 (remove only)
Screen2Video ActiveX Control
Security Update för Microsoft .NET Framework 2.0 (kB928365)
Shockwave
Snabbkorrigering för Windows XP (KB914440)
Sony Vegas 4.0e
Soulseek Client 152
SoulSeek Client 156c
Spybot - Search & Destroy
SpywareBlaster v3.5.1
Startprogram för installation av Microsoft Works 2004
Steam
Steinberg Cubasis VST 4
StepMania (remove only)
Studio 8
StuffPlug-NG (Messenger Plus! Plugins)
Subtitle Workshop 2.51
SUPERAntiSpyware Free Edition
Säkerhetsuppdatering för Step by Step Interactive Training (KB898458)
Säkerhetsuppdatering för Step by Step Interactive Training (KB923723)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB928090)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB938127)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB939653)
Säkerhetsuppdatering för Windows Media Player (KB911564)
Säkerhetsuppdatering för Windows Media Player 10 (KB911565)
Säkerhetsuppdatering för Windows Media Player 10 (KB917734)
Säkerhetsuppdatering för Windows Media Player 10 (KB936782)
Säkerhetsuppdatering för Windows Media Player 6.4 (KB925398)
Säkerhetsuppdatering för Windows XP (KB883939)
Säkerhetsuppdatering för Windows XP (KB890046)
Säkerhetsuppdatering för Windows XP (KB893756)
Säkerhetsuppdatering för Windows XP (KB896358)
Säkerhetsuppdatering för Windows XP (KB896422)
Säkerhetsuppdatering för Windows XP (KB896423)
Säkerhetsuppdatering för Windows XP (KB896424)
Säkerhetsuppdatering för Windows XP (KB896428)
Säkerhetsuppdatering för Windows XP (KB896688)
Säkerhetsuppdatering för Windows XP (KB899587)
Säkerhetsuppdatering för Windows XP (KB899588)
Säkerhetsuppdatering för Windows XP (KB899591)
Säkerhetsuppdatering för Windows XP (KB900725)
Säkerhetsuppdatering för Windows XP (KB901017)
Säkerhetsuppdatering för Windows XP (KB901190)
Säkerhetsuppdatering för Windows XP (KB901214)
Säkerhetsuppdatering för Windows XP (KB902400)
Säkerhetsuppdatering för Windows XP (KB903235)
Säkerhetsuppdatering för Windows XP (KB904706)
Säkerhetsuppdatering för Windows XP (KB905414)
Säkerhetsuppdatering för Windows XP (KB905749)
Säkerhetsuppdatering för Windows XP (KB905915)
Säkerhetsuppdatering för Windows XP (KB908519)
Säkerhetsuppdatering för Windows XP (KB908531)
Säkerhetsuppdatering för Windows XP (KB911562)
Säkerhetsuppdatering för Windows XP (KB911567)
Säkerhetsuppdatering för Windows XP (KB911927)
Säkerhetsuppdatering för Windows XP (KB912812)
Säkerhetsuppdatering för Windows XP (KB912919)
Säkerhetsuppdatering för Windows XP (KB913446)
Säkerhetsuppdatering för Windows XP (KB913580)
Säkerhetsuppdatering för Windows XP (KB914388)
Säkerhetsuppdatering för Windows XP (KB914389)
Säkerhetsuppdatering för Windows XP (KB916281)
Säkerhetsuppdatering för Windows XP (KB917159)
Säkerhetsuppdatering för Windows XP (KB917344)
Säkerhetsuppdatering för Windows XP (KB917422)
Säkerhetsuppdatering för Windows XP (KB917953)
Säkerhetsuppdatering för Windows XP (KB918118)
Säkerhetsuppdatering för Windows XP (KB918439)
Säkerhetsuppdatering för Windows XP (KB918899)
Säkerhetsuppdatering för Windows XP (KB919007)
Säkerhetsuppdatering för Windows XP (KB920213)
Säkerhetsuppdatering för Windows XP (KB920214)
Säkerhetsuppdatering för Windows XP (KB920670)
Säkerhetsuppdatering för Windows XP (KB920683)
Säkerhetsuppdatering för Windows XP (KB920685)
Säkerhetsuppdatering för Windows XP (KB921398)
Säkerhetsuppdatering för Windows XP (KB921503)
Säkerhetsuppdatering för Windows XP (KB921883)
Säkerhetsuppdatering för Windows XP (KB922616)
Säkerhetsuppdatering för Windows XP (KB922760)
Säkerhetsuppdatering för Windows XP (KB922819)
Säkerhetsuppdatering för Windows XP (KB923191)
Säkerhetsuppdatering för Windows XP (KB923414)
Säkerhetsuppdatering för Windows XP (KB923689)
Säkerhetsuppdatering för Windows XP (KB923694)
Säkerhetsuppdatering för Windows XP (KB923980)
Säkerhetsuppdatering för Windows XP (KB924191)
Säkerhetsuppdatering för Windows XP (KB924270)
Säkerhetsuppdatering för Windows XP (KB924496)
Säkerhetsuppdatering för Windows XP (KB924667)
Säkerhetsuppdatering för Windows XP (KB925454)
Säkerhetsuppdatering för Windows XP (KB925486)
Säkerhetsuppdatering för Windows XP (KB925902)
Säkerhetsuppdatering för Windows XP (KB926255)
Säkerhetsuppdatering för Windows XP (KB926436)
Säkerhetsuppdatering för Windows XP (KB927779)
Säkerhetsuppdatering för Windows XP (KB927802)
Säkerhetsuppdatering för Windows XP (KB928090)
Säkerhetsuppdatering för Windows XP (KB928255)
Säkerhetsuppdatering för Windows XP (KB928843)
Säkerhetsuppdatering för Windows XP (KB929123)
Säkerhetsuppdatering för Windows XP (KB930178)
Säkerhetsuppdatering för Windows XP (KB931261)
Säkerhetsuppdatering för Windows XP (KB931784)
Säkerhetsuppdatering för Windows XP (KB932168)
Säkerhetsuppdatering för Windows XP (KB933729)
Säkerhetsuppdatering för Windows XP (KB935839)
Säkerhetsuppdatering för Windows XP (KB935840)
Säkerhetsuppdatering för Windows XP (KB936021)
Säkerhetsuppdatering för Windows XP (KB938829)
Säkerhetsuppdatering för Windows XP (KB941202)
Säkerhetsuppdatering för Windows XP (KB943460)
Ten Thumbs 4.1
TetriNet2
TrackMania Nations ESWC 1.7.9
Type Fast 1.0
Unlocker 1.8.5
Uppdatering för Windows XP (KB894391)
Uppdatering för Windows XP (KB896727)
Uppdatering för Windows XP (KB898461)
Uppdatering för Windows XP (KB900485)
Uppdatering för Windows XP (KB900930)
Uppdatering för Windows XP (KB904942)
Uppdatering för Windows XP (KB910437)
Uppdatering för Windows XP (KB911280)
Uppdatering för Windows XP (KB916595)
Uppdatering för Windows XP (KB920872)
Uppdatering för Windows XP (KB922582)
Uppdatering för Windows XP (KB925720)
Uppdatering för Windows XP (KB927891)
Uppdatering för Windows XP (KB929338)
Uppdatering för Windows XP (KB930916)
Uppdatering för Windows XP (KB931836)
Uppdatering för Windows XP (KB933360)
Uppdatering för Windows XP (KB936357)
Uppdatering för Windows XP (KB938828)
Valve Hammer Editor
WaveLab Lite
Ventrilo
VideoLAN VLC media player 0.8.1
VideoMach 3.1.1
Winamp (remove only)
Windows Communication Foundation
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows Presentation Foundation
Windows Presentation Foundation Language Pack (SVE)
Windows Workflow Foundation
Windows Workflow Foundation SV Language Pack
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885626
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinRAR archiver
VobSub v2.23 (Remove Only)
XIII
XML Paper Specification Shared Components Language Pack 1.0
XviD MPEG-4 Video Codec
XviD MPEG4 Video Codec (remove only)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:39:43, on 2007-11-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Winamp\winampa.exe
C:\WINDOWS\system32\iid.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
C:\program\AlfaClock Free Edition\AlfaClock.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\Spybot - Search & Destroy\TeaTimer.exe
C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program\MagicDisc\MagicDisc.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program\MSN Messenger\usnsvc.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thehungersite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.187.220.93:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {95112A07-3420-49D3-AD2A-E1612B92CC7C} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\Program\FlashFXP\IEFlash.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Sök i NE - {ACECC8E8-45A5-41ec-A82A-B3363103E293} - C:\Program\Nationalencyklopedin\NE_sokverktyg_20\NeToolbar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Winamp\winampa.exe
O4 - HKLM\..\Run: [Net iD] C:\WINDOWS\system32\iid.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AtiPTA] C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
O4 - HKLM\..\Run: [100% Clock] C:\program\AlfaClock Free Edition\AlfaClock.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [RemoteCenter] C:\Program\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://ssd01.web.sh.se/iNotes6W.cab
O16 - DPF: {5965C249-A629-4516-8B5D-5B9730D61592} (ECP Launch Control) - http://portal.fragbite.com/ecplaunch.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} - http://www.ne.se/sokverktyg/installation/setup.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://hembanken.danskebank.se/html/activex/e-Safekey/OEB/e-Safekey.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12119/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: tuvspqn - tuvspqn.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Norman Type-R - Unknown owner - C:\NORMAN\Nvc\BIN\NPFSVICE.EXE (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
--
End of file - 10891 bytes

Trogan · November 2007

Sorry for the delay. I haven't forgotten about you. I will reply as soon as possible.

delphi · November 2007

No problem! It seems most of the viruses are gone. No pop-ups left.

Trogan · November 2007

Hi Delphi,

That's good to hear, but there is a little work left to do.

Please do the following...

1. Before we begin, we'll need to disable Spybots TeaTimer as it may interfere with the fix.

Open Spybot Search & Destroy
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts
Exit SpyBot

Also, make sure SuperAntiSpyware is not running.

2. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 update3.
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove the following...
- J2SE Runtime Environment 5.0 Update 1
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

3. Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {95112A07-3420-49D3-AD2A-E1612B92CC7C} - (no file)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

- Close ALL open windows (especially Internet Explorer!)
- Click Fix Checked
Close HiajckThis

4. Open Notepad and copy/paste the text in the Quote Box below into it:

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvspqn]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save this as CFScript.txt to your Desktop

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

delphi · November 2007

Hello, here are the logs!

ComboFix 07-11-19.4 - Björn 2007-11-26 16:10:38.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1053.18.127 [GMT 1:00]
Running from: C:\Documents and Settings\Björn\Skrivbord\ComboFix.exe
Command switches used :: C:\Documents and Settings\Björn\Skrivbord\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2007-10-26 to 2007-11-26 )))))))))))))))))))))))))))))))
.
2007-11-26 14:21 <KAT> d

C:\Program\Delade filer\Java
2007-11-24 18:19 <KAT> d-a

C:\Program\dnuos-0.94
2007-11-24 14:35 <KAT> d

C:\WINDOWS\system32\config\systemprofile\Lokala instõllningar
2007-11-24 14:35 <KAT> d

C:\Documents and Settings\Thomas\Lokala instõllningar
2007-11-24 14:35 <KAT> d

C:\Documents and Settings\NetworkService\Lokala instõllningar
2007-11-24 14:35 <KAT> d

C:\Documents and Settings\LocalService\Lokala instõllningar
2007-11-24 14:35 <KAT> d

C:\Documents and Settings\Kristina\Lokala instõllningar
2007-11-24 14:35 <KAT> d

C:\Documents and Settings\Eva-Christina\Lokala instõllningar
2007-11-24 14:35 <KAT> d

C:\Documents and Settings\Bj÷rn\Lokala instõllningar
2007-11-24 14:35 <KAT> d

C:\Documents and Settings\Administrat÷r\Lokala instõllningar
2007-11-24 14:35 <KAT> d

C:\Documents and Settings\Administrat÷r.DELPHICOMP\Lokala instõllningar
2007-11-24 13:57 16,128 --a

C:\WINDOWS\system32\drivers\MODEMCSA.sys
2007-11-24 13:57 16,128 --a--c--- C:\WINDOWS\system32\dllcache\modemcsa.sys
2007-11-23 21:33 1,309,184 --a

C:\WINDOWS\system32\drivers\mtlstrm.sys
2007-11-23 21:33 126,686 --a

C:\WINDOWS\system32\drivers\mtlmnt5.sys
2007-11-23 21:33 32,866 --a

C:\WINDOWS\slrundll.exe
2007-11-22 23:10 <KAT> d

C:\Program\MSXML 6.0
2007-11-22 23:01 140 --a

C:\WINDOWS\system32\spupdsvc.inf
2007-11-22 09:59 1,011,712

c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-22 09:54 34,136 --a

C:\WINDOWS\system32\wucltui.dll.mui
2007-11-22 09:54 25,944 --a

C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-11-22 09:54 25,944 --a

C:\WINDOWS\system32\wuapi.dll.mui
2007-11-22 09:54 20,312 --a

C:\WINDOWS\system32\wuaueng.dll.mui
2007-11-21 17:43 <KAT> d

C:\Program\AVG Anti-Spyware 7.5
2007-11-21 17:43 <KAT> d

C:\Documents and Settings\Björn\Application Data\Grisoft
2007-11-21 17:43 <KAT> d

C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-21 17:43 10,872 --a

C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-14 11:40 <KAT> d

C:\Program\SpywareBlaster
2007-11-12 21:39 <KAT> d

C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-12 19:51 <KAT> d

C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-12 19:50 <KAT> d

C:\Program\SUPERAntiSpyware
2007-11-12 19:50 <KAT> d

C:\Documents and Settings\Björn\Application Data\SUPERAntiSpyware.com
2007-11-12 04:15 <KAT> d

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-12 02:23 <KAT> d

C:\WINDOWS\system32\Kaspersky Lab
2007-11-12 02:23 <KAT> d

C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-12 02:14 <KAT> d

C:\Program\RegCleaner
2007-11-12 00:41 <KAT> d

C:\Program\Windows Live Safety Center
2007-11-11 20:13 <KAT> d

C:\Program\Mr QuestionMan
2007-11-05 20:25 <KAT> d

C:\Program\AlfaClock Free Edition
2007-11-02 14:08 <KAT> d

C:\Documents and Settings\Björn\Application Data\AdobeAUM
2007-10-27 11:09 <KAT> d

C:\Program\Chess-7
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-26 13:21

d

w C:\Program\Java
2007-11-23 21:06

d

w C:\Program\Cubasis VST 4
2007-11-21 23:24

d

w C:\Documents and Settings\Björn\Application Data\uTorrent
2007-11-19 18:11

d

w C:\Program\DC++
2007-11-16 22:25

d

w C:\Program\TrackMania Nations ESWC
2007-11-15 11:46

d

w C:\Program\iTunes
2007-11-15 11:46

d

w C:\Program\iPod
2007-11-15 11:44

d

w C:\Program\QuickTime
2007-11-14 12:22

d

w C:\Program\MSN Messenger
2007-11-14 12:20

d

w C:\Program\Messenger Plus! Live
2007-11-14 12:17

d

w C:\Program\Google
2007-11-14 10:57

d

w C:\Program\FlashFXP
2007-11-12 20:40

d

w C:\Program\Lavasoft
2007-11-12 20:40

d

w C:\Documents and Settings\Björn\Application Data\Lavasoft
2007-11-12 20:38

d

w C:\Program\Delade filer\Wise Installation Wizard
2007-11-12 03:50

d

w C:\Program\Audio Identifier
2007-11-07 23:43

d

w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-10-12 20:30

d

w C:\Documents and Settings\Björn\Application Data\Screenshot Sender
2006-02-06 20:46 1,154 -c--a-w C:\Documents and Settings\Thomas\Application Data\wklnhst.dat
2004-07-28 12:15 8,274 -c--a-w C:\Documents and Settings\Björn\Application Data\wklnhst.dat
2004-06-16 21:35 547 ----a-w C:\Program\Norman Virus Control.lnk
2004-05-26 18:40 0 -c--a-w C:\Documents and Settings\Kristina\Application Data\wklnhst.dat
.
((((((((((((((((((((((((((((( [EMAIL="snapshot@2007-11-24_14.33.57.71"]snapshot@2007-11-24_14.33.57.71[/EMAIL] )))))))))))))))))))))))))))))))))))))))))
.
- 2004-12-06 19:04:12 49,248 -c--a-w C:\WINDOWS\system32\java.exe
+ 2007-09-24 21:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2004-12-06 19:04:20 49,250 -c--a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-24 21:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2004-12-06 20:31:50 127,078 -c--a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-24 22:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ACECC8E8-45A5-41EC-A82A-B3363103E293}"= C:\Program\Nationalencyklopedin\NE_sokverktyg_20\NeToolbar.dll [ ]
[HKEY_CLASSES_ROOT\clsid\{acecc8e8-45a5-41ec-a82a-b3363103e293}]
[HKEY_CLASSES_ROOT\NE.NeToolBar]
[HKEY_CLASSES_ROOT\TypeLib\{37686C62-D497-42E3-BAAB-78D89A74E151}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="C:\Program\Creative\MediaSource\RemoteControl\RcMan.exe" [2002-11-21 08:33]
"Steam"="" []
"swg"="C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-26 17:22]
"StartCCC"="C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:34]
"MessengerPlus3"="C:\Program\Messenger Plus! 3\MsgPlus.exe" [2006-09-28 23:03]
"msnmsgr"="C:\Program\MSN Messenger\msnmsgr.exe" [2007-01-19 11:55]
"SUPERAntiSpyware"="C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Easy-PrintToolBox"="C:\Program\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 02:10]
"Openwares LiveUpdate"="C:\Program Files\LiveUpdate\LiveUpdate.exe" []
"Adobe Photo Downloader"="C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"WinampAgent"="C:\Winamp\winampa.exe" [2006-03-10 18:45]
"Net iD"="C:\WINDOWS\system32\iid.exe" [2006-03-02 09:22]
"CTHelper"="CTHELPER.EXE" [2006-08-11 13:56 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 C:\WINDOWS\system32\CTXFIHLP.EXE]
"Tweak UI"="RUNDLL32.exe" [2004-08-04 09:34 C:\WINDOWS\system32\rundll32.exe]
"AtiPTA"="C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE" [2004-12-01 02:10]
"100% Clock"="C:\program\AlfaClock Free Edition\AlfaClock.exe" [2008-05-31 16:05]
"QuickTime Task"="C:\Program\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:34]
C:\Documents and Settings\Bj”rn\Start-meny\Program\Autostart\
MagicDisc.lnk - C:\Program\MagicDisc\MagicDisc.exe [2007-04-13 20:59:47]
[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
2003-05-28 15:37 394240 --a

C:\WINDOWS\System32\PSDrvCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SLService"=2 (0x2)
"RadClock"=2 (0x2)
"ose"=3 (0x3)
"MySql"=2 (0x2)
"MDM"=2 (0x2)
"Conntrm"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"iPodService"=3 (0x3)
"Adobe LM Service"=3 (0x3)
R0 d346bus;d346bus;C:\WINDOWS\system32\DRIVERS\d346bus.sys
R0 d346prt;d346prt;C:\WINDOWS\system32\Drivers\d346prt.sys
R0 NDIS_RD;Firewall Engine Type-R2;C:\WINDOWS\system32\drivers\NDIS_RD.sys
R1 TDI_RD;Firewall Engine Type-R;\??\C:\WINDOWS\system32\drivers\tdi_rd.sys
R2 PStrip;PStrip;C:\WINDOWS\system32\drivers\PStrip.sys
R3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\C:\Program\EVEREST Home Edition\kerneld.wnt
S3 RadProbe;Radeon Probe Driver;C:\WINDOWS\system32\DRIVERS\RadProbe.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-02-13 11:20:00 C:\WINDOWS\Tasks\16 One Of Us.job"
- C:\My Music\ABBA GOLD\Greatest Hits\16 One Of Us.mp3
"2007-11-22 09:57:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-26 16:17:52
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2007-11-26 16:20:08
C:\ComboFix2.txt ... 2007-11-24 14:35
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:22:40, on 2007-11-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Winamp\winampa.exe
C:\WINDOWS\system32\iid.exe
C:\Program\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
C:\program\AlfaClock Free Edition\AlfaClock.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program\Java\jre1.6.0_03\bin\jusched.exe
C:\Program\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program\MagicDisc\MagicDisc.exe
C:\Program\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe
C:\Program\internet explorer\iexplore.exe
C:\program\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thehungersite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.187.220.93:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\Program\FlashFXP\IEFlash.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Sök i NE - {ACECC8E8-45A5-41ec-A82A-B3363103E293} - C:\Program\Nationalencyklopedin\NE_sokverktyg_20\NeToolbar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Winamp\winampa.exe
O4 - HKLM\..\Run: [Net iD] C:\WINDOWS\system32\iid.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AtiPTA] C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
O4 - HKLM\..\Run: [100% Clock] C:\program\AlfaClock Free Edition\AlfaClock.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [RemoteCenter] C:\Program\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://ssd01.web.sh.se/iNotes6W.cab
O16 - DPF: {5965C249-A629-4516-8B5D-5B9730D61592} (ECP Launch Control) - http://portal.fragbite.com/ecplaunch.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} - http://www.ne.se/sokverktyg/installation/setup.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://hembanken.danskebank.se/html/activex/e-Safekey/OEB/e-Safekey.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12119/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Norman Type-R - Unknown owner - C:\NORMAN\Nvc\BIN\NPFSVICE.EXE (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
--
End of file - 10451 bytes

Trogan · November 2007

Hi,

two things:

1. What Anti-Virus software do you use?

2. I need to see another log from HijackThis.

Run Hijackthis.
Click on Open the Misc Tools section.
Next click on Open uninstall manager.
Press the Save list button.
Save the file to your desktop, with the default name of uninstall_list
Copy & Paste the entire contents of that file in your in your next post.

delphi · November 2007

Hello again.

I don't use any anti-virus software atm: got tips? Unfortunately I don't have any money.

The "Program" folder keeps opening when I log on. Also, explorer.exe seems to restart once.

ACE Mega CoDecS Pack
Ad-Aware 2007
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 9 ActiveX
Adobe Photoshop Album 2.0
Adobe Photoshop CS
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.9
Adobe Type Manager 4.1
Adobe® Photoshop® Album Starter Edition 3.0
Ainsworth Sampler 4.2
AlfaClock Free Edition version 1.99 build May 2, 2007
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Audiator3
AVG Anti-Spyware 7.5
Betsson Poker (remove only)
BJ Network Tool
BK's Winamp Ext.
BrainWave Generator
BSPlayer
Canon PhotoRecord
Canon PIXMA iP4000R
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PrintToolBox
CD-LabelPrint
Chess-7 2.1
ColorNick v2 plugin for Messenger Plus!
Cool Edit Pro 2.0
Creative Audio Console
Creative MediaSource
CuteFTP 7 Home
dBpoweramp Music Converter
DC++ 0.698
DivX Web Player
DMM Uninstall
Ear Power Training Center
Easy-WebPrint
EVEREST Home Edition v2.20
FasType Typing Tutorial 6
Feature Showcase Demo
FlashFXP v3
Football Manager 2005
FruityLoops Studio Producer Edition v4.01
Glosis 6
Google Toolbar for Internet Explorer
GuildFTPd FTP Deamon
Guitar Pro 4
Half-Life
HighMAT-tillägg till Microsoft Windows XP-guiden Skriv till CD-skiva
HijackThis 2.0.2
Hotfix for Windows XP (KB915865)
Ink
InstantCopy
Intel(R) PRO Network Adapters and Drivers
InterVideo WinDVD
InterVideo WinDVD 4
iPod for Windows 2005-06-26
iPod for Windows 2006-01-10
iTunes
Java(TM) 6 Update 3
Kaspersky Online Scanner
Macromedia Extension Manager
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8
Macromedia Flash Player 8 Plugin
Macromedia Shockwave Player
Magic ISO Maker v4.6 (build 0122)
MagicDisc 2.5.74
Max Payne 2
Messenger Plus! 3
Messenger Plus! Live
Microsoft .NET Framework 2.0
Microsoft .NET Framework 2.0 Language Pack - SVE
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0 Swedish Language Pack
Microsoft .NET Framework 3.0 Swedish Language Pack
Microsoft AutoRoute v11.0
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard - WE 2004
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Picture It! Photo Standard 9
Microsoft Reader
Microsoft Works
Microsoft Works Suite-tillägg för Microsoft Word
mIRC
Mozart 6
MP3 WAV Converter 3.05
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
MultiRes (remove only)
My MP3 Organizer version 1.6 Build 3
MySQL Servers and Clients 3.23.52
Nationalencyklopedin
Native Instruments Traktor DJ Audigy Edition
NE:s sökverktyg 2.0
NE-Fonter
Nero OEM
NeroVision Express 2 SE
Net iD 4.1
NFO Viewer
Panda ActiveScan
Pinnacle Hollywood FX 4.6
Power Tab Editor 1.7
PowerStrip 3 (remove only)
QuickTime
SAM2 (remove only)
Screen2Video ActiveX Control
Security Update för Microsoft .NET Framework 2.0 (kB928365)
Shockwave
Snabbkorrigering för Windows XP (KB914440)
Sony Vegas 4.0e
Soulseek Client 152
SoulSeek Client 156c
Spybot - Search & Destroy
SpywareBlaster v3.5.1
Startprogram för installation av Microsoft Works 2004
Steam
Steinberg Cubasis VST 4
StepMania (remove only)
Studio 8
StuffPlug-NG (Messenger Plus! Plugins)
Subtitle Workshop 2.51
SUPERAntiSpyware Free Edition
Säkerhetsuppdatering för Step by Step Interactive Training (KB898458)
Säkerhetsuppdatering för Step by Step Interactive Training (KB923723)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB928090)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB938127)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB939653)
Säkerhetsuppdatering för Windows Media Player (KB911564)
Säkerhetsuppdatering för Windows Media Player 10 (KB911565)
Säkerhetsuppdatering för Windows Media Player 10 (KB917734)
Säkerhetsuppdatering för Windows Media Player 10 (KB936782)
Säkerhetsuppdatering för Windows Media Player 6.4 (KB925398)
Säkerhetsuppdatering för Windows XP (KB883939)
Säkerhetsuppdatering för Windows XP (KB890046)
Säkerhetsuppdatering för Windows XP (KB893756)
Säkerhetsuppdatering för Windows XP (KB896358)
Säkerhetsuppdatering för Windows XP (KB896422)
Säkerhetsuppdatering för Windows XP (KB896423)
Säkerhetsuppdatering för Windows XP (KB896424)
Säkerhetsuppdatering för Windows XP (KB896428)
Säkerhetsuppdatering för Windows XP (KB896688)
Säkerhetsuppdatering för Windows XP (KB899587)
Säkerhetsuppdatering för Windows XP (KB899588)
Säkerhetsuppdatering för Windows XP (KB899591)
Säkerhetsuppdatering för Windows XP (KB900725)
Säkerhetsuppdatering för Windows XP (KB901017)
Säkerhetsuppdatering för Windows XP (KB901190)
Säkerhetsuppdatering för Windows XP (KB901214)
Säkerhetsuppdatering för Windows XP (KB902400)
Säkerhetsuppdatering för Windows XP (KB903235)
Säkerhetsuppdatering för Windows XP (KB904706)
Säkerhetsuppdatering för Windows XP (KB905414)
Säkerhetsuppdatering för Windows XP (KB905749)
Säkerhetsuppdatering för Windows XP (KB905915)
Säkerhetsuppdatering för Windows XP (KB908519)
Säkerhetsuppdatering för Windows XP (KB908531)
Säkerhetsuppdatering för Windows XP (KB911562)
Säkerhetsuppdatering för Windows XP (KB911567)
Säkerhetsuppdatering för Windows XP (KB911927)
Säkerhetsuppdatering för Windows XP (KB912812)
Säkerhetsuppdatering för Windows XP (KB912919)
Säkerhetsuppdatering för Windows XP (KB913446)
Säkerhetsuppdatering för Windows XP (KB913580)
Säkerhetsuppdatering för Windows XP (KB914388)
Säkerhetsuppdatering för Windows XP (KB914389)
Säkerhetsuppdatering för Windows XP (KB916281)
Säkerhetsuppdatering för Windows XP (KB917159)
Säkerhetsuppdatering för Windows XP (KB917344)
Säkerhetsuppdatering för Windows XP (KB917422)
Säkerhetsuppdatering för Windows XP (KB917953)
Säkerhetsuppdatering för Windows XP (KB918118)
Säkerhetsuppdatering för Windows XP (KB918439)
Säkerhetsuppdatering för Windows XP (KB918899)
Säkerhetsuppdatering för Windows XP (KB919007)
Säkerhetsuppdatering för Windows XP (KB920213)
Säkerhetsuppdatering för Windows XP (KB920214)
Säkerhetsuppdatering för Windows XP (KB920670)
Säkerhetsuppdatering för Windows XP (KB920683)
Säkerhetsuppdatering för Windows XP (KB920685)
Säkerhetsuppdatering för Windows XP (KB921398)
Säkerhetsuppdatering för Windows XP (KB921503)
Säkerhetsuppdatering för Windows XP (KB921883)
Säkerhetsuppdatering för Windows XP (KB922616)
Säkerhetsuppdatering för Windows XP (KB922760)
Säkerhetsuppdatering för Windows XP (KB922819)
Säkerhetsuppdatering för Windows XP (KB923191)
Säkerhetsuppdatering för Windows XP (KB923414)
Säkerhetsuppdatering för Windows XP (KB923689)
Säkerhetsuppdatering för Windows XP (KB923694)
Säkerhetsuppdatering för Windows XP (KB923980)
Säkerhetsuppdatering för Windows XP (KB924191)
Säkerhetsuppdatering för Windows XP (KB924270)
Säkerhetsuppdatering för Windows XP (KB924496)
Säkerhetsuppdatering för Windows XP (KB924667)
Säkerhetsuppdatering för Windows XP (KB925454)
Säkerhetsuppdatering för Windows XP (KB925486)
Säkerhetsuppdatering för Windows XP (KB925902)
Säkerhetsuppdatering för Windows XP (KB926255)
Säkerhetsuppdatering för Windows XP (KB926436)
Säkerhetsuppdatering för Windows XP (KB927779)
Säkerhetsuppdatering för Windows XP (KB927802)
Säkerhetsuppdatering för Windows XP (KB928090)
Säkerhetsuppdatering för Windows XP (KB928255)
Säkerhetsuppdatering för Windows XP (KB928843)
Säkerhetsuppdatering för Windows XP (KB929123)
Säkerhetsuppdatering för Windows XP (KB930178)
Säkerhetsuppdatering för Windows XP (KB931261)
Säkerhetsuppdatering för Windows XP (KB931784)
Säkerhetsuppdatering för Windows XP (KB932168)
Säkerhetsuppdatering för Windows XP (KB933729)
Säkerhetsuppdatering för Windows XP (KB935839)
Säkerhetsuppdatering för Windows XP (KB935840)
Säkerhetsuppdatering för Windows XP (KB936021)
Säkerhetsuppdatering för Windows XP (KB938829)
Säkerhetsuppdatering för Windows XP (KB941202)
Säkerhetsuppdatering för Windows XP (KB943460)
Ten Thumbs 4.1
TetriNet2
TrackMania Nations ESWC 1.7.9
Type Fast 1.0
Unlocker 1.8.5
Uppdatering för Windows XP (KB894391)
Uppdatering för Windows XP (KB896727)
Uppdatering för Windows XP (KB898461)
Uppdatering för Windows XP (KB900485)
Uppdatering för Windows XP (KB900930)
Uppdatering för Windows XP (KB904942)
Uppdatering för Windows XP (KB910437)
Uppdatering för Windows XP (KB911280)
Uppdatering för Windows XP (KB916595)
Uppdatering för Windows XP (KB920872)
Uppdatering för Windows XP (KB922582)
Uppdatering för Windows XP (KB925720)
Uppdatering för Windows XP (KB927891)
Uppdatering för Windows XP (KB929338)
Uppdatering för Windows XP (KB930916)
Uppdatering för Windows XP (KB931836)
Uppdatering för Windows XP (KB933360)
Uppdatering för Windows XP (KB936357)
Uppdatering för Windows XP (KB938828)
Valve Hammer Editor
WaveLab Lite
Ventrilo
VideoLAN VLC media player 0.8.1
VideoMach 3.1.1
Winamp (remove only)
Windows Communication Foundation
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows Presentation Foundation
Windows Presentation Foundation Language Pack (SVE)
Windows Workflow Foundation
Windows Workflow Foundation SV Language Pack
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885626
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinRAR archiver
VobSub v2.23 (Remove Only)
XIII
XML Paper Specification Shared Components Language Pack 1.0
XviD MPEG-4 Video Codec
XviD MPEG4 Video Codec (remove only)

Trogan · November 2007

Hi Delphi,

I see leftovers of Norman, so lets remove that first.

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

@echo off
sc stop "Norman Type-R"
sc delete "Norman Type-R"
exit

Double click FixServices.bat. A window will open and close. This is normal.

Now download one of the following Anti-Virus programs.

AntiVir << I recommend this
AVG Free Edition
avast! 4 Home Edition

Please post a new HijackThis log, and let me know if the following has stopped:

The "Program" folder keeps opening when I log on. Also, explorer.exe seems to restart once.

Trogan · November 2007

Sorry, forgot to complete the instructions for the batch file.

delphi · November 2007

Hello, it doesn't seem to help. Explorer.exe restarts and C:\Program\ opens. I ran FixServices.bat without the "exit" line, so I could see what was going on: it couldn't find the service.

I installed Avira AntiVir.
HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:55:20, on 2007-11-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Winamp\winampa.exe
C:\WINDOWS\system32\iid.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
C:\program\AlfaClock Free Edition\AlfaClock.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Java\jre1.6.0_03\bin\jusched.exe
C:\Program\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program\MagicDisc\MagicDisc.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program\internet explorer\iexplore.exe
C:\Program\MSN Messenger\usnsvc.exe
C:\Program\HijackThis\HijackThis.exe
C:\Program\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program\Avira\AntiVir PersonalEdition Classic\sched.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thehungersite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.187.220.93:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\Program\FlashFXP\IEFlash.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Sök i NE - {ACECC8E8-45A5-41ec-A82A-B3363103E293} - C:\Program\Nationalencyklopedin\NE_sokverktyg_20\NeToolbar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Winamp\winampa.exe
O4 - HKLM\..\Run: [Net iD] C:\WINDOWS\system32\iid.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AtiPTA] C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
O4 - HKLM\..\Run: [100% Clock] C:\program\AlfaClock Free Edition\AlfaClock.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [RemoteCenter] C:\Program\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://ssd01.web.sh.se/iNotes6W.cab
O16 - DPF: {5965C249-A629-4516-8B5D-5B9730D61592} (ECP Launch Control) - http://portal.fragbite.com/ecplaunch.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} - http://www.ne.se/sokverktyg/installation/setup.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://hembanken.danskebank.se/html/activex/e-Safekey/OEB/e-Safekey.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12119/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
--
End of file - 10988 bytes

delphi · November 2007

Hello. I've managed to get rid of the C:\program opening. Was some registry entry without "". (Used a small tool created for the purpose of correcting this.)

Trogan · November 2007

Can you run a new scan with ComboFix and post it here please.

delphi · November 2007

okay, here it is!

ComboFix 07-11-19.4 - Björn 2007-11-29 22:53:23.3 - NTFSx86
Running from: C:\Documents and Settings\Björn\Skrivbord\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.
2007-11-29 20:47 <KAT> d

C:\WINDOWS\LastGood
2007-11-29 11:48 <KAT> d

C:\Program\Avira
2007-11-29 11:48 <KAT> d

C:\Documents and Settings\All Users\Application Data\Avira
2007-11-27 23:06 <KAT> d

C:\Documents and Settings\Eva-Christina\Application Data\iid
2007-11-26 14:21 <KAT> d

C:\Program\Delade filer\Java
2007-11-26 14:21 69,632 --a

C:\WINDOWS\system32\javacpl.cpl
2007-11-24 18:19 <KAT> d-a